• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 349

PIX config is not giving VPN clients a gateway address

I am using Cisco VPN client 4.6 and running PIX version 6.3(5). Everything with my VPN is working properly except that my VPN clients are not getting the gateway pushed out to them, which is causing intermittent DNS issues. Here is a copy of the relevant parts from my PIX config. Please let me know what the command to add the gateway to clients would be, or what else you may recommend. I will be looking into this myself and will post the solution if I beat you to the reply. Thanks in advance.

NDIFW# sho run
: Saved
:
PIX Version 6.3(5)
ip audit info action alarm
ip audit attack action alarm
ip local pool testPool 10.23.5.1-10.23.5.100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 64.112.172.135 netmask 255.255.255.255
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 0 access-list dmz_nat
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.132.112.129 1
route inside 10.1.0.0 255.255.0.0 172.16.0.1 1
route inside 172.29.0.0 255.255.0.0 172.16.0.1 1
route inside 172.31.0.0 255.255.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 172.16.2.1 "" timeout 10
aaa authentication ssh console partnerauth
http server enable
http 172.16.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set clientset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set clientset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap client authentication partnerauth
crypto map newmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup test address-pool testPool
vpngroup test dns-server 172.16.2.1
vpngroup test wins-server 172.16.2.1
vpngroup test default-domain test.com
vpngroup test split-tunnel ndigroup_splitTunnelAcl
vpngroup test idle-time 1800
vpngroup test password
telnet timeout 5
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:3d22cb5763216d661f6f25c44e8659d1
: end
Asked by: Natldiag
1 Solution
naveedb Commented:
You want all the traffic to come through the PIX? Take out 'vpngroup test split-tunnel ndigroup_splitTunnelAcl' with

no vpngroup test split-tunnel ndigroup_splitTunnelAcl

This will make the tunnel the gateway for all traffic from VPN clients.

Natldiag (Author) Commented:
I removed this command from my config and confirmed that the gateway is now being pushed out through the VPN client. I started to do a little research on this command, but still cannot find out the benefit of it being put into my config in the first place. Any ideas? I inherited this config. DNS is now resolving through VPN. Thanks for the help!
naveedb Commented:
It is used for security reasons. If you want to limit access to your internal network, you use the split-tunnel to define interesting traffic that will pass through the VPN tunnel. All other traffic will use the client's default gateway (commonly internet traffic).
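To make the split-tunnel trade-off concrete, here is an added Python example (not from the thread or from Cisco) that reads the vpngroup and access-list lines of a PIX 6.3 config and reports which destinations a client will route through the tunnel, and whether the pushed DNS server is among them. The body of ndigroup_splitTunnelAcl is constructed here, since the original post did not include it; the example also covers the full-tunnel case the asker ended up with.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the posted vpngroup lines plus a hypothetical
# split-tunnel ACL body (the ACL itself was not in the original post).
SAMPLE_CONFIG = """\
access-list ndigroup_splitTunnelAcl permit ip 172.16.0.0 255.255.0.0 any
access-list ndigroup_splitTunnelAcl permit ip 10.1.0.0 255.255.0.0 any
vpngroup test address-pool testPool
vpngroup test dns-server 172.16.2.1
vpngroup test split-tunnel ndigroup_splitTunnelAcl
vpngroup test idle-time 1800
"""
# Same config after 'no vpngroup test split-tunnel ...' has been applied.
FULL_TUNNEL_CONFIG = "\n".join(
    l for l in SAMPLE_CONFIG.splitlines() if "split-tunnel" not in l)

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) any$")
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$")

def tunneled_networks(config):
    """Map each vpngroup to the networks its clients send through the tunnel.

    No split-tunnel: the PIX is the client's gateway for everything (0.0.0.0/0).
    Split-tunnel: only destinations matched by the ACL are tunneled; the rest,
    DNS included unless the resolver's network is in the ACL, use the client's
    own default gateway. A referenced but undefined ACL tunnels nothing.
    """
    acls, groups, split = {}, set(), {}
    for line in (l.strip() for l in config.splitlines()):
        m = ACL_RE.match(line)
        if m:
            name, net, mask = m.groups()
            acls.setdefault(name, []).append(
                str(ip_network(f"{net}/{mask}", strict=False)))
        elif line.startswith("vpngroup "):
            groups.add(line.split()[1])
            m = SPLIT_RE.match(line)
            if m:
                split[m.group(1)] = m.group(2)
    return {g: acls.get(split[g], []) if g in split else ["0.0.0.0/0"]
            for g in sorted(groups)}

def dns_via_tunnel(config, dns_server):
    """Per vpngroup: does the pushed DNS server sit inside a tunneled network?"""
    return {g: any(ip_address(dns_server) in ip_network(n) for n in nets)
            for g, nets in tunneled_networks(config).items()}
```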